The topic of Security Bite: What stands out in the iOS 26.4 security release notes is currently the subject of lively debate — readers and analysts are keeping a close eye on developments.
This is taking place in a dynamic environment: companies’ decisions and competitors’ reactions can quickly change the picture.
9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
On Tuesday, along with the wide release of iOS 26.4, which had been in beta up until then, Apple dropped a hefty list of security patches addressing over 35 vulnerabilities. While most single-point releases usually come with a large number of fixes, there are a handful of notable ones here I want to bring attention to.
About Security Bite: The weekly Security Bite column and biweekly podcast is your deep dive into the ever-evolving world of Apple security. Arin Waichulis is a degreed IT professional and third-year security writer at 9to5Mac. Here, Arin takes a bite out of the most critical headlines impacting privacy and security so you can stay better informed.
This is the biggest one. The vulnerability (CVE-2026-28895) allowed someone with physical access to an iPhone to bypass biometrically protected apps using only the passcode, even with Stolen Device Protection enabled. This means apps gated by the ‘Require Face ID’ option, which users can enable by long pressing an app icon, could still be accessed using just the device’s passcode.
If you’ve been following Security Bite, I recently broke down new Stolen Device Protection changes back in February. One of which is that Apple now enables the feature by default in iOS 26.4.
The whole point of Stolen Device Protection is in the name. It’s there to make a stolen iPhone useless even if the thief has your passcode.
A bypass like the one above undermines the feature’s premise entirely. Apple says the fix involved improved checks, and the issue is now patched.
If you’re interested in how Stolen Device Protection came to be, here’s the backstory.
CVE-2026-28864 is another one that I find interesting. There’s not a whole lot of details on this one, but according to the data Apple, a local attacker could gain access to Keychain items due to insufficient permissions checking.
Your Keychain stores passwords, encryption keys, tokens, and more. A flaw here is a pretty serious local privilege escalation, and while it requires someone to physically have your device in hand, that’s exactly a scenario Stolen Device Protection is designed for.
CVE-2026-20692 revealed that “Hide IP Address” and “Block All Remote Content” may not have applied to all mail content. So if you had those toggled on in Mail, there’s a chance that your IP address wasn’t hidden from senders, and remote loads were still getting through.
It’s not clear how widespread this issue was, but silent features silently not working is never good.
CVE-2026-20688 allowed an app to break out of its sandbox via a path handling issue in the Printing framework. This is part of AirPrint that lets users wirelessly print things.
Sandbox escapes are always notable because they’re a critical link in exploit chains. Once you’re out of the sandbox, the attack surface opens up considerably.
Seven CVEs plus a sandboxing issue. The highlights include a Same Origin Policy bypass (CVE-2026-20643), a Content Security Policy bypass (CVE-2026-20665), and a bug that allowed a malicious website to process restricted web content outside the sandbox (CVE-2026-28859).
None of these are listed as actively exploited in the wild, which is the good news. But the severity of several of these is notable for a single-point release.
A Stolen Device Protection bypass, Keychain access issues, and Mail privacy settings silently failing are not your run-of-the-mill issues that users typically face.
You can view the full list of patches for iOS 26.4, macOS 26.4, tvOS 26.4, iPadOS 26.4, and other platforms on Apple’s security releases page.
Why it matters
News like this often changes audience expectations and competitors’ plans.
When one player makes a move, others usually react — it is worth reading the event in context.
What to look out for next
The full picture will become clear in time, but the headline already shows the dynamics of the industry.
Further statements and user reactions will add to the story.